In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?
The following list are the attack types from the first post, where DNSSEC can protect the users:
- DNS cache poisoning the DNS server, "Da Old way"
- DNS cache poisoning, "Da Kaminsky way"
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
The following list are the attack types from the first post, where DNSSEC cannot protect the users:
- Rogue DNS server set via malware
- Having access to the DNS admin panel and rewriting the IP
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.
Now, how can I protect against all of these attacks? Answer is "simple":
- Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
- Don't let malware run on your system! ;-)
- Use at least two-factor authentication for admin access of your DNS admin panel.
- Use a registry lock (details in part 1).
- Use a DNSSEC aware OS.
- Use DNSSEC protected websites.
- There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.
Now some random facts, thoughts, solutions around DNSSEC:
- Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
- Did you know DNSSEC was first deployed at the root level on July 15, 2010?
- Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
- Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
- Did you know that you can also use and test that cool DNSSEC validator?
- Did you know that there are alternative solutions like DNSCrypt?
- Did you know that in the future you might be able to enforce HSTS via DNSSEC?
- Did you know that in the future you might be able to use certificate pinning via DNSSEC?
Note from David:
Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D
Related news- Hacking Tools 2020
- Best Hacking Tools 2020
- Hacking Tools For Mac
- Hacker Tools
- Best Hacking Tools 2020
- Hack Website Online Tool
- Pentest Tools Linux
- Hacker Tools Online
- Game Hacking
- Hack And Tools
- Hack Tools
- Hack Tools For Mac
- Hack And Tools
- Install Pentest Tools Ubuntu
- Pentest Tools Windows
- Pentest Tools Open Source
- Computer Hacker
- Hacking Tools For Windows Free Download
- Pentest Tools Framework
- Pentest Tools For Android
- Hacker Techniques Tools And Incident Handling
- Nsa Hack Tools Download
- Termux Hacking Tools 2019
- Hacking Tools Github
- Hack Tools For Ubuntu
- Hacker Search Tools
- Pentest Tools Port Scanner
- Hacker Tools
- Pentest Tools Bluekeep
- World No 1 Hacker Software
- Pentest Tools Port Scanner
- Hack Tools Github
- Hacker Techniques Tools And Incident Handling
- Hacking Tools Windows 10
- Pentest Tools Find Subdomains
- Nsa Hacker Tools
- Hacking Tools Github
- Pentest Tools Website
- Pentest Reporting Tools
- Hacking Tools For Kali Linux
- Hacking Tools Pc
- Free Pentest Tools For Windows
- Bluetooth Hacking Tools Kali
- Hacking Tools 2019
- Hacking Tools For Beginners
- Pentest Tools Windows
- Usb Pentest Tools
- Pentest Tools Website
- Pentest Tools Open Source
- Hacking Tools Kit
- Hack Tools Download
- Hack Tools Mac
- Install Pentest Tools Ubuntu
- Kik Hack Tools
- Hacking Tools Free Download
- Hacker Tools Linux
- Pentest Tools Free
- Hacker Hardware Tools
- Pentest Tools For Ubuntu
- Hacker
- Hackers Toolbox
- Wifi Hacker Tools For Windows
- Hack Tool Apk
- Hacker Tool Kit
- Bluetooth Hacking Tools Kali
- Hacking Tools 2019
- Hacking Tools Pc
- Pentest Tools Windows
- Kik Hack Tools
- Hack Tools For Windows
- Pentest Reporting Tools
- Hacker Tools Windows
- Tools Used For Hacking
- Hack Tools Pc
- Hacker Tools List
- Hak5 Tools
- Game Hacking
- Hacking Tools For Mac
- Hacker Tools For Pc
- Hack Tools
- Hacking Tools Usb
- New Hack Tools
- Hacker Techniques Tools And Incident Handling
- Pentest Tools For Android
- Android Hack Tools Github
- Top Pentest Tools
- Hacker Tools For Ios
- Hack Tool Apk
- Pentest Tools Url Fuzzer
- Pentest Tools Find Subdomains
- Hacking Tools And Software
- Hacking Tools
- Pentest Tools
- Hacking Tools Mac
- Top Pentest Tools
- Pentest Tools Find Subdomains
- Pentest Tools Free
- Pentest Tools List
- Hack Tools
- Pentest Tools For Android
- Hack Tools For Games
- Hack Tools For Games
- Hacker Tools
- Hacking Tools And Software
- Bluetooth Hacking Tools Kali
- Hacker Tools For Pc
- Pentest Tools Windows
- Usb Pentest Tools
- Pentest Tools Review
- Hacker Tools For Windows
- Pentest Tools Review
- Hacker Tools 2020
- Hacking Tools For Mac
- Hacking Tools For Mac
- Pentest Box Tools Download
- Underground Hacker Sites
- Pentest Tools Subdomain
- Pentest Tools Subdomain
- Pentest Tools For Windows
- How To Install Pentest Tools In Ubuntu
- Hack Tools Mac
- Ethical Hacker Tools
- Hack Tools 2019
- Beginner Hacker Tools
- Kik Hack Tools
- What Are Hacking Tools
- Pentest Tools Bluekeep
- Hacking Tools Mac
- Hacker Techniques Tools And Incident Handling
- Hacking Tools For Pc
No hay comentarios:
Publicar un comentario